
🔗 Module 14: Layer 2 Security Considerations

🛡️ Mitigating Layer 2 Attacks and Vulnerabilities

Tags: CCNA Level, Layer 2 Security, Switch Security

📋 Overview

This module addresses the critical importance of Layer 2 security in network infrastructure. As the foundation layer providing access to network users, Layer 2 represents a significant vulnerability point where compromise can affect all upper layers. Students will learn about various Layer 2 attacks including MAC table overflow, VLAN hopping, DHCP spoofing, ARP poisoning, and STP manipulation, along with comprehensive mitigation strategies using Cisco security features.


🔑 Key Terms

MAC Table Overflow

Attack that fills a switch's MAC (CAM) table with frames carrying bogus source MAC addresses. Once the table is full, frames for hosts the switch can no longer learn are flooded out every port in the VLAN, where the attacker captures them.

VLAN Hopping

Attack that gains access to a VLAN the attacker is not assigned to, either by negotiating a trunk with the switch over DTP or by double-tagging frames so the second switch delivers them into another VLAN.

DHCP Spoofing

Attack using rogue DHCP server to provide false network configuration to legitimate clients.

ARP Poisoning

Attack that corrupts hosts' ARP caches by sending unsolicited (gratuitous) ARP replies that bind a victim's or the gateway's IP address to the attacker's MAC address.

Port Security

Cisco switch feature that limits the number (and optionally the identity) of MAC addresses allowed on a port and applies a violation action (protect, restrict or shutdown) when the limit is exceeded.

DHCP Snooping

Security feature that filters DHCP messages on untrusted ports (server replies are dropped there) and records each client's lease in a binding database that other features such as DAI rely on.


🔒 Layer 2 Security Threats

Critical Vulnerability

Layer 2 as the Weakest Link

If Layer 2 is compromised, all layers above it are affected. Network administrators routinely protect Layers 3-7 with VPNs, firewalls, and IPS devices, but Layer 2 vulnerabilities can render these protections useless.

Common Layer 2 Attack Types

MAC Table Attacks

Overflow the switch MAC table so that unknown-unicast flooding delivers other hosts' traffic to the attacker's port for capture.

VLAN Attacks

Bypass VLAN segmentation through hopping and double-tagging techniques.

DHCP Attacks

Disrupt DHCP services through starvation or provide false configuration via spoofing.

ARP Attacks

Poison ARP tables to redirect traffic and enable man-in-the-middle attacks.


MAC Table Attacks

Attack Mechanism

MAC Table Overflow

Attackers flood the switch with frames carrying random source MAC addresses (macof from the dsniff suite does this). Once the MAC table is full the switch can no longer learn new addresses, so frames destined for any host it has not learned (or whose entry has aged out) are treated as unknown unicast and flooded out every port in the VLAN; the attacker's port receives a copy of that traffic.

Mitigation: Port Security

Port security only applies to a static access port, so set the mode first. With the default violation mode of shutdown, a second MAC address on the port puts it into err-disabled state; `sticky` keeps the learned address across reboots. Verify with `show port-security interface fa0/1`.

Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address sticky
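The following Python model, added here and not part of the course material, shows why the flood works and what the port-security maximum does about it: a small switch with a 16-entry MAC table, an attacker on port 3 sending frames from random source MACs, and two legitimate hosts exchanging a frame afterwards. The port numbers, MAC addresses, table size and the 'shutdown' violation behaviour are all constructed assumptions.

```python
"""MAC table overflow against a model switch, with and without port security.

Added example, not code from the course page: the Switch class is a deliberately
simplified model (fixed-size table, no ageing, violation mode 'shutdown') and the
port numbers, MAC addresses and frame counts are constructed for illustration.
"""
import random


class Switch:
    def __init__(self, ports, mac_table_size=16, psec_max=None):
        self.ports = ports
        self.size = mac_table_size
        self.table = {}                        # MAC -> port (the CAM table)
        self.psec_max = psec_max               # 'switchport port-security maximum N'; None = off
        self.secure = {p: set() for p in ports}
        self.err_disabled = set()
        self.violations = 0

    def receive(self, in_port, src, dst):
        """Process one frame; return the list of ports it is forwarded out of."""
        if in_port in self.err_disabled:
            return []
        if self.psec_max is not None and src not in self.secure[in_port]:
            if len(self.secure[in_port]) >= self.psec_max:
                # violation mode shutdown: the port goes err-disabled and stops forwarding
                self.violations += 1
                self.err_disabled.add(in_port)
                return []
            self.secure[in_port].add(src)      # learned as a secure (sticky-style) address
        # Learning: a full table simply stops learning new addresses. Real switches also
        # age entries out, which is how the attacker's bogus entries displace real ones.
        if src in self.table or len(self.table) < self.size:
            self.table[src] = in_port
        if dst in self.table:
            return [self.table[dst]]
        return [p for p in self.ports if p != in_port]   # unknown unicast: flood the VLAN


def random_mac(rng):
    return "02:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))


def run_scenario(psec_max=None, attack_frames=50):
    """Attacker on port 3 floods bogus source MACs, then hosts A (port 1) and B (port 2) talk."""
    sw = Switch(ports=[1, 2, 3], mac_table_size=16, psec_max=psec_max)
    rng = random.Random(1)                     # fixed seed so the run is reproducible
    host_a, host_b, attacker_port = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", 3
    for _ in range(attack_frames):
        sw.receive(attacker_port, random_mac(rng), "ff:ff:ff:ff:ff:ff")
    sw.receive(1, host_a, host_b)              # A -> B: should teach the switch A's port
    egress = sw.receive(2, host_b, host_a)     # B -> A: where does the reply go?
    return {
        "table_entries": len(sw.table),
        "reply_egress": sorted(egress),
        "attacker_sees_reply": attacker_port in egress,
        "violations": sw.violations,
        "err_disabled": sorted(sw.err_disabled),
    }


if __name__ == "__main__":
    print("no port security   :", run_scenario())
    print("port-security max 1:", run_scenario(psec_max=1))
```

Without port security the reply from B to A is flooded out ports 1 and 3, because A's address could never be learned into the full table; with `psec_max=1` the attacker's second source MAC is a violation, port 3 is err-disabled, and the reply goes only to port 1. The model does not implement ageing, which is why a real attacker keeps flooding continuously to hold the table full.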

VLAN Attacks

VLAN Hopping Attack

Attack Method

DTP Exploitation

The attacker's host sends DTP frames (and 802.1Q-tagged traffic) so that a switch port left in its default dynamic auto/desirable mode negotiates a trunk with it; the host can then receive and inject traffic on every VLAN the trunk carries.

VLAN Double-Tagging Attack

The attacker sends a frame carrying two 802.1Q tags. The outer tag matches the native VLAN of the trunk, so the first switch strips it and forwards the frame untagged; the second switch then reads the inner tag and delivers the frame into a VLAN the attacker is not a member of. The attack only works when the attacker's port sits in the trunk's native VLAN, and the traffic is one-way.

Mitigation Strategies

  • Put every end-user port into access mode and turn off DTP on it (`switchport mode access` and `switchport nonegotiate`)
  • Configure trunk ports statically (`switchport mode trunk` and `switchport nonegotiate`) and prune the allowed VLAN list to what is needed
  • Set the native VLAN to an unused VLAN that no access port belongs to, or tag it on the trunk with `vlan dot1q tag native`
  • Implement VLAN access control lists
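To make the double-tagging mechanism and the native-VLAN mitigation concrete, here is an added Python walk-through (not from the course page) that builds real 802.1Q headers and passes the attacker's frame through a simplified model of two switches joined by a trunk. The MAC addresses, VLAN numbers and payload are constructed, and the two switch functions are a simplification of how Catalyst access and trunk ports behave.

```python
"""802.1Q double-tagging walked through a two-switch model.

Added example, not the course's own material. It encodes real 802.1Q headers
(TPID 0x8100) but the two switch functions are a simplified model of Cisco
access/trunk behaviour; MAC addresses, VLAN numbers and payload are constructed.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, vlans, payload):
    """Ethernet frame with zero or more 802.1Q tags, outermost first."""
    frame = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    for vid in vlans:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)    # PCP/DEI = 0, 12-bit VID
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def pop_tag(frame):
    """Return (outer VLAN id or None, frame with that tag removed)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def switch1_access_in_trunk_out(frame, access_vlan, native_vlan, tag_native=False):
    """Attacker's access port -> trunk egress. Returns the bytes put on the trunk, or None."""
    vid, inner = pop_tag(frame)
    if vid is not None and vid != access_vlan:
        return None                        # tagged with a VLAN the port does not belong to
    if access_vlan == native_vlan and not tag_native:
        return inner                       # native VLAN leaves untagged: a buried inner tag survives
    return push_tag(inner, access_vlan)    # any other VLAN (or 'vlan dot1q tag native') is tagged


def switch2_trunk_in(wire, native_vlan):
    """Second switch classifies the frame by its outer tag, or the native VLAN if untagged."""
    vid, _ = pop_tag(wire)
    return native_vlan if vid is None else vid


def double_tag_outcome(access_vlan, native_vlan, target_vlan=20, tag_native=False):
    """VLAN the second switch delivers the attacker's frame into (None if dropped)."""
    frame = build_frame("00:00:5e:00:53:99", "00:00:5e:00:53:66",
                        [access_vlan, target_vlan], b"constructed payload")
    wire = switch1_access_in_trunk_out(frame, access_vlan, native_vlan, tag_native)
    return None if wire is None else switch2_trunk_in(wire, native_vlan)


if __name__ == "__main__":
    print("attacker in native VLAN 1       ->", double_tag_outcome(1, 1))
    print("native VLAN moved to 999        ->", double_tag_outcome(1, 999))
    print("native VLAN tagged on the trunk ->", double_tag_outcome(1, 1, tag_native=True))
```

With the attacker in VLAN 1 and VLAN 1 native on the trunk, the frame arrives in VLAN 20. Moving the native VLAN to an unused 999 means the first switch tags the frame with VLAN 1 on egress, so the second switch keeps it in VLAN 1 and the inner tag is just payload; tagging the native VLAN has the same effect even when the numbers coincide.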

DHCP Attacks

DHCP Starvation

DoS attack that exhausts DHCP pool:

  • Tools such as Gobbler automate it
  • The attacker sends a stream of DHCPDISCOVER/REQUEST messages, each with a different spoofed client MAC address
  • Every request takes another lease until the pool is exhausted
  • Legitimate clients can no longer obtain an address, which also clears the way for a rogue server to answer them

DHCP Spoofing

Rogue DHCP server provides false information:

  • Wrong default gateway (man-in-the-middle)
  • Malicious DNS server addresses
  • Invalid IP addresses (DoS)
  • Intercepts and redirects traffic
Primary Defense

DHCP Snooping

DHCP snooping classifies ports as trusted (uplinks and the port toward the real server) or untrusted (everything else). Server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped, which defeats spoofing. Client messages on untrusted ports are rate-limited (`ip dhcp snooping limit rate`) and checked so that the DHCP client hardware address matches the frame's source MAC, which blunts starvation; port security covers the remaining case of a flood with ever-changing source MACs. Each completed lease is recorded in the binding database (MAC, IP, VLAN, port, lease time) that DAI and IP Source Guard use.


ARP Attacks

ARP Spoofing and Poisoning

Attack Vector

Gratuitous ARP Exploitation

Attackers send unsolicited ARP replies (gratuitous ARPs) that map the victim's or the default gateway's IP address to the attacker's MAC. Hosts update their ARP caches without any check, so traffic between them flows through the attacker, who can read or alter it before forwarding it on.

Attack Tools

  • dsniff
  • Cain & Abel
  • ettercap
  • Yersinia

Mitigation: Dynamic ARP Inspection (DAI)

DAI intercepts ARP requests and replies on untrusted ports and checks the sender IP/MAC pair against the DHCP snooping binding database (or against static ARP ACLs for hosts with fixed addresses), dropping any packet that does not match; uplinks to other switches are configured as trusted. DAI therefore depends on DHCP snooping being enabled on the same VLANs, and it can additionally validate that the Ethernet source MAC matches the ARP sender MAC.
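DHCP snooping and DAI share the binding table, so one added Python model (not the course's own code) serves the DHCP section above and this one: it applies the snooping rules to untrusted ports, builds bindings from ACKs that arrive on the trusted uplink, and then lets DAI decide ARP packets against those bindings. The port names, VLAN, addresses, the rate limit and the message dictionaries are all constructed for the example.

```python
"""DHCP snooping and Dynamic ARP Inspection as one decision function.

Added example, not the course's own material. It models the behaviour the text
describes (drop server messages on untrusted ports, rate-limit client messages,
verify chaddr against the frame source MAC, build bindings from ACKs, and let
DAI check ARP sender addresses against those bindings). Port names, VLANs,
addresses, the rate limit and the message layout are constructed assumptions.
"""
from collections import defaultdict

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class L2Guard:
    def __init__(self, trusted_ports, dhcp_rate_limit=15):
        self.trusted = set(trusted_ports)          # 'ip dhcp snooping trust' / 'ip arp inspection trust'
        self.rate_limit = dhcp_rate_limit          # 'ip dhcp snooping limit rate 15'
        self.bindings = {}                         # (vlan, mac) -> (ip, port)
        self.pending = {}                          # (vlan, mac) -> port of an outstanding REQUEST
        self.dhcp_seen = defaultdict(int)          # port -> DHCP packets in this interval
        self.err_disabled = set()
        self.drops = []

    def _drop(self, why):
        self.drops.append(why)
        return False

    def dhcp(self, port, vlan, src_mac, msg):
        """Return True if a DHCP message (dict with type/chaddr[/yiaddr]) is forwarded."""
        if port in self.err_disabled:
            return False
        mtype, chaddr = msg["type"], msg["chaddr"]
        if port in self.trusted:
            # Real server reply: record the lease against the port the client asked from.
            if mtype == "ACK" and (vlan, chaddr) in self.pending:
                self.bindings[(vlan, chaddr)] = (msg["yiaddr"], self.pending.pop((vlan, chaddr)))
            return True
        self.dhcp_seen[port] += 1
        if self.dhcp_seen[port] > self.rate_limit:
            self.err_disabled.add(port)
            return self._drop(f"{port}: DHCP rate limit exceeded, port err-disabled (starvation)")
        if mtype in SERVER_MESSAGES:
            return self._drop(f"{port}: {mtype} from an untrusted port (rogue DHCP server)")
        if chaddr != src_mac:
            return self._drop(f"{port}: chaddr {chaddr} does not match source MAC {src_mac}")
        if mtype == "REQUEST":
            self.pending[(vlan, chaddr)] = port
        return True

    def arp(self, port, vlan, src_mac, sender_mac, sender_ip):
        """DAI: return True if an ARP request/reply is forwarded."""
        if port in self.trusted:
            return True
        if sender_mac != src_mac:                  # 'ip arp inspection validate src-mac'
            return self._drop(f"{port}: ARP sender MAC {sender_mac} != frame source {src_mac}")
        if self.bindings.get((vlan, sender_mac)) != (sender_ip, port):
            return self._drop(f"{port}: no binding for {sender_ip}/{sender_mac} on this port")
        return True


def demo():
    g = L2Guard(trusted_ports={"Gi0/1"})           # Gi0/1 is the uplink toward the real server
    client, attacker, gateway_ip = "0000.5e00.530a", "0000.5e00.5366", "10.0.10.1"
    r = {}
    r["client_request"] = g.dhcp("Fa0/2", 10, client, {"type": "REQUEST", "chaddr": client})
    r["server_ack"] = g.dhcp("Gi0/1", 10, "0000.5e00.5301",
                             {"type": "ACK", "chaddr": client, "yiaddr": "10.0.10.57"})
    r["rogue_offer"] = g.dhcp("Fa0/3", 10, attacker,
                              {"type": "OFFER", "chaddr": client, "yiaddr": "10.0.10.99"})
    r["client_arp"] = g.arp("Fa0/2", 10, client, client, "10.0.10.57")
    r["attacker_claims_gateway"] = g.arp("Fa0/3", 10, attacker, attacker, gateway_ip)
    r["attacker_clones_client"] = g.arp("Fa0/3", 10, client, client, "10.0.10.57")
    # Starvation: DISCOVERs from ever-changing MACs on Fa0/4 (port security would also stop this).
    r["starvation_forwarded"] = sum(
        g.dhcp("Fa0/4", 10, f"0200.0000.{i:04x}",
               {"type": "DISCOVER", "chaddr": f"0200.0000.{i:04x}"})
        for i in range(40))
    r["err_disabled"] = sorted(g.err_disabled)
    r["bindings"] = dict(g.bindings)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

The rogue OFFER on Fa0/3 is dropped outright, the attacker's ARP for the gateway address has no binding, and even a frame that copies the client's MAC and IP fails because the binding is tied to Fa0/2. The starvation run forwards 15 DISCOVERs and then err-disables Fa0/4; in production you would pair the rate limit with `errdisable recovery cause dhcp-rate-limit` so the port comes back on its own.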


STP Attacks

STP Manipulation Attack

Attack Strategy

Root Bridge Spoofing

The attacker's host sends BPDUs advertising a bridge priority lower than the current root's, so the switches elect it as the root bridge. The resulting topology change puts the attacker's link in the forwarding path between switches, letting it capture or disrupt inter-switch traffic; repeated root claims can also keep the network in constant reconvergence.

Mitigation: BPDU Guard

BPDU Guard should be enabled on every access port: a port that receives any BPDU is put into err-disabled state, so an unauthorized switch (or a host running an STP attack tool) cannot join the topology. It can be set per interface as below, or globally with `spanning-tree portfast bpduguard default`, which applies it to all PortFast ports. Ports facing legitimate switches should use Root Guard instead, which stops a port from becoming the root port without shutting it down. Check the result with `show spanning-tree summary` and `show interfaces status err-disabled`.

Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# spanning-tree portfast
Switch(config-if)# spanning-tree bpduguard enable
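Across a fleet of switches the practical question is whether every port actually carries these settings. The following Python auditor, added here and not part of the module, parses interface stanzas from a running-config and reports the gaps covered in the VLAN and STP sections (DTP left on, native VLAN 1 on a trunk, access ports without port security or BPDU Guard). The sample configuration is constructed; the checks assume IOS syntax and its defaults of native VLAN 1 and dynamic DTP mode.

```python
"""Audit an IOS running-config for the Layer 2 hardening this module describes.

Added example, not from the course page: a small parser for 'interface' stanzas
plus checks for DTP left enabled, a native VLAN of 1 on trunks, and access ports
without port security or BPDU Guard. The sample configuration is constructed.
"""

SAMPLE_CONFIG = """\
!
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/0/1
 description uplink to core
 switchport trunk native vlan 1
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport mode access
 shutdown
!
"""


def parse_config(text):
    """Return ({interface: [its config lines]}, {global config lines})."""
    interfaces, global_lines, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.add(line)
    return interfaces, global_lines


def native_vlan(lines):
    for line in lines:
        if line.startswith("switchport trunk native vlan "):
            return line.split()[-1]
    return "1"                                  # IOS default native VLAN


def audit(text):
    """Map each active switchport to a list of findings (empty list = compliant)."""
    interfaces, global_lines = parse_config(text)
    bpduguard_default = "spanning-tree portfast bpduguard default" in global_lines
    tag_native = "vlan dot1q tag native" in global_lines
    findings = {}
    for name, lines in interfaces.items():
        cfg = set(lines)
        if "shutdown" in cfg or not any(l.startswith("switchport") for l in lines):
            continue                            # administratively down or routed: out of scope
        f = []
        if "switchport mode trunk" in cfg:
            if native_vlan(lines) == "1" and not tag_native:
                f.append("trunk native VLAN is 1: move it to an unused VLAN or 'vlan dot1q tag native'")
            if "switchport nonegotiate" not in cfg:
                f.append("DTP still active on trunk: add 'switchport nonegotiate'")
        elif "switchport mode access" in cfg:
            if "switchport nonegotiate" not in cfg:
                f.append("access port still sends DTP frames: add 'switchport nonegotiate'")
            if "switchport port-security" not in cfg:
                f.append("no port security: add 'switchport port-security' with a maximum")
            if "spanning-tree bpduguard enable" not in cfg and not (
                    bpduguard_default and "spanning-tree portfast" in cfg):
                f.append("no BPDU Guard: add 'spanning-tree bpduguard enable'")
        else:
            # Default dynamic mode negotiates a trunk with anyone speaking DTP; fix this first,
            # then re-audit, because port security requires a static access port anyway.
            f.append("no 'switchport mode': port is DTP dynamic and can be trunked by a host")
        findings[name] = f
    return findings


if __name__ == "__main__":
    for iface, issues in audit(SAMPLE_CONFIG).items():
        print(iface, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

On the sample, the uplink gets two findings (native VLAN 1 and DTP still on), Gi1/0/2 is clean, Gi1/0/3 is reported as a dynamic port, and the shut-down Gi1/0/4 is skipped. Feed it `show running-config` output collected from each switch and the findings list becomes the remediation backlog.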

📚 Case Study: Enterprise Layer 2 Security

Comprehensive Implementation

Financial Institution Security Hardening

A regional bank implements comprehensive Layer 2 security across 200 switches, including port security, DHCP snooping, DAI, and BPDU Guard. The implementation reduces security incidents by 85% and provides complete visibility into Layer 2 threats through centralized logging and monitoring.
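The visibility in that case study comes from the syslog messages the four features emit when they act. The Python below, an added example rather than anything from the case study, classifies the relevant IOS mnemonics, extracts the port and MAC address, and flags any port or MAC that trips more than one protection. The log lines are constructed in the format IOS uses for these messages; the hostname, ports and addresses are invented.

```python
"""Classify and correlate switch syslog messages for the Layer 2 events above.

Added example, not from the course page. The mnemonics are the ones IOS uses for
port security, BPDU Guard, DHCP snooping and DAI; the sample lines themselves are
constructed, and the host name, ports, MAC and addresses are invented for the demo.
"""
import re
from collections import defaultdict

SAMPLE_SYSLOG = """\
Mar  1 10:02:11 sw-branch-07 2031: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0213.aa4f.0c11 on port FastEthernet0/7.
Mar  1 10:02:12 sw-branch-07 2032: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/7, putting Fa0/7 in err-disable state
Mar  1 10:05:40 sw-branch-07 2033: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/12 with BPDU Guard enabled. Disabling port.
Mar  1 10:05:40 sw-branch-07 2034: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/12, putting Fa0/12 in err-disable state
Mar  1 10:09:03 sw-branch-07 2035: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0213.aa4f.0c11
Mar  1 10:09:15 sw-branch-07 2036: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/7, vlan 10.([0213.aa4f.0c11/10.0.10.1/0000.0000.0000/10.0.10.57/10:09:15 UTC Mon Mar 1 2021])
Mar  1 10:10:00 sw-branch-07 2037: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
"""

# mnemonic -> attack family from this module; anything else is treated as noise
ATTACK_CLASSES = {
    "PSECURE_VIOLATION": "mac-table/port-security",
    "BLOCK_BPDUGUARD": "stp/bpdu-guard",
    "DHCP_SNOOPING_UNTRUSTED_PORT": "dhcp/rogue-server",
    "DHCP_SNOOPING_DENY": "arp/dai",
}
MSG_RE = re.compile(r"%([A-Z_]+)-(\d)-([A-Z_]+):")
PORT_RE = re.compile(r"\bon (?:port )?([A-Za-z]+\d+(?:/\d+)+)")
MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")
SHORT_NAMES = [("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"), ("FastEthernet", "Fa")]


def short_port(name):
    """Normalise 'FastEthernet0/7' and 'Fa0/7' to the same key."""
    for full, short in SHORT_NAMES:
        name = name.replace(full, short)
    return name


def classify(line):
    """Return (attack_class, port, mac) for a relevant line, else None."""
    m = MSG_RE.search(line)
    if not m or m.group(3) not in ATTACK_CLASSES:
        return None
    port = PORT_RE.search(line)
    mac = MAC_RE.search(line)
    return (ATTACK_CLASSES[m.group(3)],
            short_port(port.group(1)) if port else None,
            mac.group(1) if mac else None)


def correlate(log_text):
    """Group events by port and by MAC; flag any entity hit by more than one attack class."""
    by_port, by_mac = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        cls, port, mac = hit
        if port:
            by_port[port].add(cls)
        if mac:
            by_mac[mac].add(cls)
    report = {
        "by_port": {p: sorted(c) for p, c in by_port.items()},
        "by_mac": {m: sorted(c) for m, c in by_mac.items()},
    }
    report["escalate"] = sorted(
        k for k, c in list(by_port.items()) + list(by_mac.items()) if len(c) > 1)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(correlate(SAMPLE_SYSLOG), indent=2))
```

On the sample, Fa0/7 shows both a port-security violation and a DAI drop, and the same MAC also appears in the rogue DHCPOFFER drop, so both the port and the MAC are escalated; Fa0/12 is a single BPDU Guard event. The `%PM-4-ERR_DISABLE` lines are deliberately not counted as separate events, since they only restate the action already logged by the feature that triggered it.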


⚠️ Common Pitfalls & Misconceptions

Pitfall

Ignoring Layer 2 Security

Focusing only on Layer 3-7 security while leaving Layer 2 infrastructure vulnerable to attacks.

Best Practice

Layered Security Approach

Implement security at all OSI layers, with particular attention to Layer 2 as the foundation of network security.


✅ Quick Checks

  1. Why is Layer 2 considered the weakest link in network security?
    If Layer 2 is compromised, all layers above it are affected, making upper-layer security measures ineffective.
  2. What is the primary mitigation for MAC table overflow attacks?
    Enable port security to limit the number of MAC addresses allowed on each switch port.
  3. How does VLAN hopping work?
    Either the attacker's host negotiates a trunk with a switch port left in dynamic DTP mode, gaining access to every VLAN on the trunk, or it sends double-tagged frames whose outer tag matches the native VLAN so the inner tag delivers them into another VLAN.
  4. What are the two main types of DHCP attacks?
    DHCP starvation (exhausting IP address pool) and DHCP spoofing (rogue server providing false information).
  5. How does BPDU Guard prevent STP attacks?
    BPDU Guard puts a port into err-disabled state as soon as it receives a BPDU, so an unauthorized switch or attack tool on an access port cannot take part in STP or claim the root role.

📝 Summary

  • Layer 2 security is critical as compromise affects all upper layers
  • MAC table attacks flood switches to enable traffic capture
  • VLAN attacks bypass segmentation through hopping and double-tagging
  • DHCP attacks include starvation and spoofing techniques
  • ARP attacks poison tables to redirect traffic
  • STP attacks manipulate topology to capture traffic
  • Port security, DHCP snooping, DAI, and BPDU Guard provide comprehensive protection
  • Layered security approach essential for complete network protection